Tutorial: Using AWS Lambda with AWS CloudTrail

In this scenario, AWS CloudTrail maintains records (logs) of the AWS API calls made on your account and notifies you whenever an API call is made to create an SNS topic. As API calls are made in your account, CloudTrail writes logs to an Amazon S3 bucket that you configured. In this scenario, you want Amazon S3 to publish the object-created events to AWS Lambda and invoke your Lambda function as CloudTrail creates log objects.

When Amazon S3 invokes your Lambda function, it passes an S3 event identifying, among other things, the bucket name and key name of the object that CloudTrail created. Your Lambda function can read the log object, and from it learn which API calls were reported in the log.

Each object CloudTrail creates in your S3 bucket is a JSON object with one or more event records. Each record, among other things, provides eventSource and eventName.

For illustration, the Lambda function notifies you by email if an API call to create an Amazon SNS topic is reported in the log. That is, when your Lambda function parses the log, it looks for records with the following:

eventSource = "sns.amazonaws.com"

eventName = "CreateTopic"

If found, it publishes the event to your Amazon SNS topic (you configure this topic to notify you by email).

Your Lambda function uses an S3 event that provides the bucket name and key name of the object CloudTrail created. Your Lambda function then reads that object to process the CloudTrail records.
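The filtering described above, as an added Python example that is not the tutorial's own function code. It assumes CloudTrail stores each log object as gzip-compressed JSON with a Records array, that the alert topic ARN is supplied in an assumed SNS_TOPIC_ARN environment variable, and it uses constructed sample data so the parsing logic can be run offline without AWS credentials.

```python
import gzip
import json
import os
from urllib.parse import unquote_plus

# Constructed sample CloudTrail log object, stored the way CloudTrail writes
# it to S3: gzip-compressed JSON with a "Records" array. Not a real log.
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventSource": "sns.amazonaws.com", "eventName": "CreateTopic",
     "awsRegion": "us-west-2", "requestParameters": {"name": "example-topic"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "sns.amazonaws.com", "eventName": "DeleteTopic"},
]}).encode())

# Constructed S3 object-created event with only the fields the handler reads.
SAMPLE_EVENT = {"Records": [{"s3": {
    "bucket": {"name": "examplebucket"},
    "object": {"key": "AWSLogs/example/CloudTrail/example.json.gz"}}}]}

def parse_cloudtrail_log(raw):
    """Decompress one CloudTrail log object and return its event records."""
    return json.loads(gzip.decompress(raw)).get("Records", [])

def find_sns_create_topic(records):
    """Keep only records that report an SNS CreateTopic API call."""
    return [r for r in records
            if r.get("eventSource") == "sns.amazonaws.com"
            and r.get("eventName") == "CreateTopic"]

def _s3_fetch(bucket, key):
    import boto3  # imported lazily so the module also runs offline
    return boto3.client("s3").get_object(Bucket=bucket, Key=key)["Body"].read()

def _sns_publish(message):
    import boto3
    # SNS_TOPIC_ARN is an assumed environment variable naming the alert topic.
    boto3.client("sns").publish(TopicArn=os.environ["SNS_TOPIC_ARN"], Message=message)

def lambda_handler(event, context=None, fetch_object=_s3_fetch, publish=_sns_publish):
    """Read each log object named in the S3 event and alert on CreateTopic calls."""
    matched = []
    for rec in event["Records"]:
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # S3 URL-encodes keys in events
        for hit in find_sns_create_topic(parse_cloudtrail_log(fetch_object(bucket, key))):
            publish(json.dumps(hit))
            matched.append(hit)
    return matched
```

In Lambda, the default fetch and publish callbacks talk to S3 and SNS; for local testing, pass callbacks that return SAMPLE_LOG and collect the published messages.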

Prerequisites

This tutorial assumes that you have some knowledge of basic Lambda operations and the Lambda console. If you haven't already, follow the instructions in Getting Started with AWS Lambda to create your first Lambda function.

To follow the procedures in this guide, you will need a command line terminal or shell to run commands. Commands are shown in listings preceded by a prompt symbol ($) and the name of the current directory, when appropriate:

~/lambda-project$ this is a command
this is output

For long commands, an escape character (\) is used to split a command over multiple lines.

Turn on CloudTrail

In the AWS CloudTrail console, turn on a trail in your account, specifying examplebucket in the us-west-2 region as the bucket where CloudTrail saves its logs. When configuring the trail, do not enable SNS notifications; the Lambda function, not CloudTrail, will send the notification.

Add Permissions to the Function Policy

Add permissions to the Lambda function's resource policy to allow Amazon S3 to invoke the function.

Run the following add-permission command to grant the Amazon S3 service principal (s3.amazonaws.com) permission to perform the lambda:InvokeFunction action. Note that Amazon S3 is permitted to invoke the function only if both of the following conditions are met:

An object-created event is detected on a specific bucket.

The bucket is owned by a specific AWS account. If a bucket owner deletes a bucket, some other AWS account can create a bucket with the same name. This condition ensures that only a specific AWS account can invoke your Lambda function.